diff --git a/mkosi.images/minimal-0/mkosi.conf b/mkosi.images/minimal-0/mkosi.conf
new file mode 100644
index 00000000000..3315d4b4a9c
--- /dev/null
+++ b/mkosi.images/minimal-0/mkosi.conf
@@ -0,0 +1,24 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Config]
+Dependencies=minimal-base
+
+[Distribution]
+CacheOnly=always
+
+[Output]
+Format=portable
+SplitArtifacts=yes
+
+[Content]
+BaseTrees=%O/minimal-base
+Environment=SYSTEMD_REPART_OVERRIDE_FSTYPE=squashfs
+Bootable=no
+
+BuildSources=
+Packages=
+BuildPackages=
+VolatilePackages=
+
+[Host]
+Incremental=no
diff --git a/mkosi.images/minimal-0/mkosi.extra/opt/some_file b/mkosi.images/minimal-0/mkosi.extra/opt/some_file
new file mode 100644
index 00000000000..bd4fba4dfea
--- /dev/null
+++ b/mkosi.images/minimal-0/mkosi.extra/opt/some_file
@@ -0,0 +1 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
diff --git a/mkosi.images/minimal-0/mkosi.extra/usr/lib/systemd/system/minimal-app0.service b/mkosi.images/minimal-0/mkosi.extra/usr/lib/systemd/system/minimal-app0.service
new file mode 100644
index 00000000000..0532112f764
--- /dev/null
+++ b/mkosi.images/minimal-0/mkosi.extra/usr/lib/systemd/system/minimal-app0.service
@@ -0,0 +1,5 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Service]
+ExecStartPre=cat /usr/lib/os-release
+ExecStart=sleep 120
diff --git a/mkosi.images/minimal-0/mkosi.postinst b/mkosi.images/minimal-0/mkosi.postinst
new file mode 100755
index 00000000000..a66cf68465a
--- /dev/null
+++ b/mkosi.images/minimal-0/mkosi.postinst
@@ -0,0 +1,11 @@
+#!/bin/sh
+# SPDX-License-Identifier: LGPL-2.1-or-later
+set -eux
+
+mkdir -p "$BUILDROOT/var/lib/app1"
+
+cat >>"$BUILDROOT/usr/lib/os-release" <<EOF
+MARKER=1
+PORTABLE_PREFIXES=app0 minimal minimal-app0
+EOF
+cp "$BUILDROOT/usr/lib/systemd/system/minimal-app0.service" "$BUILDROOT/usr/lib/systemd/system/minimal-app0-foo.service"
diff --git a/mkosi.images/minimal-1/mkosi.conf b/mkosi.images/minimal-1/mkosi.conf
new file mode 100644
index 00000000000..3315d4b4a9c
--- /dev/null
+++ b/mkosi.images/minimal-1/mkosi.conf
@@ -0,0 +1,24 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Config]
+Dependencies=minimal-base
+
+[Distribution]
+CacheOnly=always
+
+[Output]
+Format=portable
+SplitArtifacts=yes
+
+[Content]
+BaseTrees=%O/minimal-base
+Environment=SYSTEMD_REPART_OVERRIDE_FSTYPE=squashfs
+Bootable=no
+
+BuildSources=
+Packages=
+BuildPackages=
+VolatilePackages=
+
+[Host]
+Incremental=no
diff --git a/mkosi.images/minimal-1/mkosi.extra/opt/some_file b/mkosi.images/minimal-1/mkosi.extra/opt/some_file
new file mode 100644
index 00000000000..bd4fba4dfea
--- /dev/null
+++ b/mkosi.images/minimal-1/mkosi.extra/opt/some_file
@@ -0,0 +1 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
diff --git a/mkosi.images/minimal-1/mkosi.extra/usr/lib/systemd/system/minimal-app0.service b/mkosi.images/minimal-1/mkosi.extra/usr/lib/systemd/system/minimal-app0.service
new file mode 100644
index 00000000000..0532112f764
--- /dev/null
+++ b/mkosi.images/minimal-1/mkosi.extra/usr/lib/systemd/system/minimal-app0.service
@@ -0,0 +1,5 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Service]
+ExecStartPre=cat /usr/lib/os-release
+ExecStart=sleep 120
diff --git a/mkosi.images/minimal-1/mkosi.postinst b/mkosi.images/minimal-1/mkosi.postinst
new file mode 100755
index 00000000000..e2d08d04d88
--- /dev/null
+++ b/mkosi.images/minimal-1/mkosi.postinst
@@ -0,0 +1,11 @@
+#!/bin/sh
+# SPDX-License-Identifier: LGPL-2.1-or-later
+set -eux
+
+mkdir -p "$BUILDROOT/var/lib/app1"
+
+cat >>"$BUILDROOT/usr/lib/os-release" <<EOF
+MARKER=2
+PORTABLE_PREFIXES=app0 minimal minimal-app0
+EOF
+cp "$BUILDROOT/usr/lib/systemd/system/minimal-app0.service" "$BUILDROOT/usr/lib/systemd/system/minimal-app0-bar.service"
diff --git a/mkosi.images/minimal-base/mkosi.conf b/mkosi.images/minimal-base/mkosi.conf
new file mode 100644
index 00000000000..afc70b87a06
--- /dev/null
+++ b/mkosi.images/minimal-base/mkosi.conf
@@ -0,0 +1,20 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Output]
+Format=directory
+
+[Content]
+Bootable=no
+@Locale=C.UTF-8
+WithDocs=no
+
+BuildSources=
+Packages=
+BuildPackages=
+VolatilePackages=
+
+Packages=
+        bash
+        coreutils
+        grep
+        util-linux
diff --git a/mkosi.images/minimal-base/mkosi.conf.d/10-arch.conf b/mkosi.images/minimal-base/mkosi.conf.d/10-arch.conf
new file mode 100644
index 00000000000..25edbc526a3
--- /dev/null
+++ b/mkosi.images/minimal-base/mkosi.conf.d/10-arch.conf
@@ -0,0 +1,10 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Match]
+Distribution=arch
+
+[Content]
+Packages=
+        inetutils
+        iproute
+        openbsd-netcat
diff --git a/mkosi.images/minimal-base/mkosi.conf.d/10-centos-fedora.conf b/mkosi.images/minimal-base/mkosi.conf.d/10-centos-fedora.conf
new file mode 100644
index 00000000000..3a3e5286402
--- /dev/null
+++ b/mkosi.images/minimal-base/mkosi.conf.d/10-centos-fedora.conf
@@ -0,0 +1,12 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Match]
+Distribution=|centos
+Distribution=|fedora
+
+[Content]
+Packages=
+        hostname
+        iproute
+        iproute-tc
+        netcat
diff --git a/mkosi.images/minimal-base/mkosi.conf.d/10-debian-ubuntu-opensuse.conf b/mkosi.images/minimal-base/mkosi.conf.d/10-debian-ubuntu-opensuse.conf
new file mode 100644
index 00000000000..a715ec1f6c8
--- /dev/null
+++ b/mkosi.images/minimal-base/mkosi.conf.d/10-debian-ubuntu-opensuse.conf
@@ -0,0 +1,12 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Match]
+Distribution=|debian
+Distribution=|ubuntu
+
+[Content]
+Packages=
+        hostname
+        iproute2
+        mount
+        netcat-openbsd
diff --git a/mkosi.images/minimal-base/mkosi.conf.d/10-opensuse.conf b/mkosi.images/minimal-base/mkosi.conf.d/10-opensuse.conf
new file mode 100644
index 00000000000..2e370ec04f4
--- /dev/null
+++ b/mkosi.images/minimal-base/mkosi.conf.d/10-opensuse.conf
@@ -0,0 +1,11 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Match]
+Distribution=opensuse
+
+[Content]
+Packages=
+        hostname
+        iproute2
+        netcat-openbsd
+        patterns-base-minimal_base
diff --git a/mkosi.images/minimal-base/mkosi.extra/etc/os-release b/mkosi.images/minimal-base/mkosi.extra/etc/os-release
new file mode 120000
index 00000000000..c4c75b419cf
--- /dev/null
+++ b/mkosi.images/minimal-base/mkosi.extra/etc/os-release
@@ -0,0 +1 @@
+../usr/lib/os-release
\ No newline at end of file
diff --git a/mkosi.images/minimal-base/mkosi.extra/etc/resolv.conf b/mkosi.images/minimal-base/mkosi.extra/etc/resolv.conf
new file mode 100644
index 00000000000..d2c5ef45996
--- /dev/null
+++ b/mkosi.images/minimal-base/mkosi.extra/etc/resolv.conf
@@ -0,0 +1,3 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+# This is a stub resolv.conf intended as a mountpoint for the host's resolv.conf
diff --git a/mkosi.images/system/mkosi.conf b/mkosi.images/system/mkosi.conf
index a65caf58d81..b124c5c94a7 100644
--- a/mkosi.images/system/mkosi.conf
+++ b/mkosi.images/system/mkosi.conf
@@ -1,5 +1,10 @@
 # SPDX-License-Identifier: LGPL-2.1-or-later
 
+[Config]
+Dependencies=
+        minimal-0
+        minimal-1
+
 [Output]
 @Format=directory
 
@@ -7,6 +12,12 @@
 Autologin=yes
 ExtraTrees=
         %D/mkosi.crt:/usr/lib/verity.d/mkosi.crt # sysext verification key
+        %O/minimal-0.root-%a.raw:/usr/share/minimal_0.raw
+        %O/minimal-0.root-%a-verity.raw:/usr/share/minimal_0.verity
+        %O/minimal-0.root-%a-verity-sig.raw:/usr/share/minimal_0.verity.sig
+        %O/minimal-1.root-%a.raw:/usr/share/minimal_1.raw
+        %O/minimal-1.root-%a-verity.raw:/usr/share/minimal_1.verity
+        %O/minimal-1.root-%a-verity-sig.raw:/usr/share/minimal_1.verity.sig
 
 Packages=
         acl
diff --git a/mkosi.images/system/mkosi.conf.d/10-centos/mkosi.conf b/mkosi.images/system/mkosi.conf.d/10-centos/mkosi.conf
index 843b96d9a61..053f11be55c 100644
--- a/mkosi.images/system/mkosi.conf.d/10-centos/mkosi.conf
+++ b/mkosi.images/system/mkosi.conf.d/10-centos/mkosi.conf
@@ -6,3 +6,4 @@ Distribution=centos
 [Content]
 Packages=
         rpmautospec-rpm-macros
+        kernel-modules # For squashfs
diff --git a/mkosi.images/system/mkosi.postinst.chroot b/mkosi.images/system/mkosi.postinst.chroot
index d1052694aa7..61a8e311e36 100755
--- a/mkosi.images/system/mkosi.postinst.chroot
+++ b/mkosi.images/system/mkosi.postinst.chroot
@@ -73,3 +73,7 @@ if command -v sbsign &>/dev/null; then
     ukify build --secureboot-private-key mkosi.key --secureboot-certificate mkosi.crt --cmdline this_should_be_here -o "$addons_dir/good.addon.efi"
     ukify build --cmdline this_should_not_be_here -o "$addons_dir/bad.addon.efi"
 fi
+
+for f in "$BUILDROOT"/usr/share/*.verity.sig; do
+    jq --join-output '.rootHash' "$f" >"${f%.verity.sig}.roothash"
+done
diff --git a/test/TEST-43-PRIVATEUSER-UNPRIV/test.sh b/test/TEST-43-PRIVATEUSER-UNPRIV/test.sh
index 1d1dab43c30..c05573595bc 100755
--- a/test/TEST-43-PRIVATEUSER-UNPRIV/test.sh
+++ b/test/TEST-43-PRIVATEUSER-UNPRIV/test.sh
@@ -12,6 +12,7 @@ has_user_dbus_socket || exit 0
 test_require_bin mksquashfs
 
 test_append_files() {
+    inst_binary mksquashfs
     inst_binary unsquashfs
     install_verity_minimal
 }
diff --git a/test/meson.build b/test/meson.build
index bd25e94276c..f8e40fa0065 100644
--- a/test/meson.build
+++ b/test/meson.build
@@ -338,6 +338,9 @@ integration_test_wrapper = find_program('integration-test-wrapper.py')
 integration_tests = {
         '01': 'TEST-01-BASIC',
         '02': 'TEST-02-UNITTESTS',
+        '29': 'TEST-29-PORTABLE',
+        '43': 'TEST-43-PRIVATEUSER-UNPRIV',
+        '50': 'TEST-50-DISSECT',
 }
 foreach test_number, dirname : integration_tests
         test_params = {
diff --git a/test/test-functions b/test/test-functions
index 67896fb30f6..c5a7216c06c 100644
--- a/test/test-functions
+++ b/test/test-functions
@@ -783,109 +783,6 @@ EOF
         mksquashfs "$initdir" "$oldinitdir/usr/share/minimal_1.raw" -noappend
         veritysetup format "$oldinitdir/usr/share/minimal_1.raw" "$oldinitdir/usr/share/minimal_1.verity" | \
             grep '^Root hash:' | cut -f2 | tr -d '\n' >"$oldinitdir/usr/share/minimal_1.roothash"
-
-        # Rolling distros like Arch do not set VERSION_ID
-        local version_id=""
-        if grep -q "^VERSION_ID=" "$os_release"; then
-            version_id="$(grep "^VERSION_ID=" "$os_release")"
-        fi
-
-        export initdir="$TESTDIR/app0"
-        mkdir -p "$initdir/usr/lib/extension-release.d" "$initdir/usr/lib/systemd/system" "$initdir/opt"
-        grep "^ID=" "$os_release" >"$initdir/usr/lib/extension-release.d/extension-release.app0"
-        echo "${version_id}" >>"$initdir/usr/lib/extension-release.d/extension-release.app0"
-        ( echo "${version_id}"
-          echo "SYSEXT_IMAGE_ID=app" ) >>"$initdir/usr/lib/extension-release.d/extension-release.app0"
-        cat >"$initdir/usr/lib/systemd/system/app0.service" <<EOF
-[Service]
-Type=oneshot
-RemainAfterExit=yes
-ExecStart=/opt/script0.sh
-TemporaryFileSystem=/var/lib
-StateDirectory=app0
-RuntimeDirectory=app0
-EOF
-        cat >"$initdir/opt/script0.sh" <<EOF
-#!/bin/bash
-set -e
-test -e /usr/lib/os-release
-echo bar >\${STATE_DIRECTORY}/foo
-cat /usr/lib/extension-release.d/extension-release.app0
-EOF
-        chmod +x "$initdir/opt/script0.sh"
-        echo MARKER=1 >"$initdir/usr/lib/systemd/system/some_file"
-        mksquashfs "$initdir" "$oldinitdir/usr/share/app0.raw" -noappend
-
-        export initdir="$TESTDIR/conf0"
-        mkdir -p "$initdir/etc/extension-release.d" "$initdir/etc/systemd/system" "$initdir/opt"
-        grep "^ID=" "$os_release" >"$initdir/etc/extension-release.d/extension-release.conf0"
-        echo "${version_id}" >>"$initdir/etc/extension-release.d/extension-release.conf0"
-        ( echo "${version_id}"
-          echo "CONFEXT_IMAGE_ID=app" ) >>"$initdir/etc/extension-release.d/extension-release.conf0"
-        echo MARKER_1 >"$initdir/etc/systemd/system/some_file"
-        mksquashfs "$initdir" "$oldinitdir/usr/share/conf0.raw" -noappend
-
-        export initdir="$TESTDIR/app1"
-        mkdir -p "$initdir/usr/lib/extension-release.d" "$initdir/usr/lib/systemd/system" "$initdir/opt"
-        grep "^ID=" "$os_release" >"$initdir/usr/lib/extension-release.d/extension-release.app2"
-        ( echo "${version_id}"
-          echo "SYSEXT_SCOPE=portable"
-          echo "SYSEXT_IMAGE_ID=app"
-          echo "SYSEXT_IMAGE_VERSION=1"
-          echo "PORTABLE_PREFIXES=app1" ) >>"$initdir/usr/lib/extension-release.d/extension-release.app2"
-        setfattr -n user.extension-release.strict -v false "$initdir/usr/lib/extension-release.d/extension-release.app2"
-        cat >"$initdir/usr/lib/systemd/system/app1.service" <<EOF
-[Service]
-Type=oneshot
-RemainAfterExit=yes
-ExecStart=/opt/script1.sh
-StateDirectory=app1
-RuntimeDirectory=app1
-EOF
-        cat >"$initdir/opt/script1.sh" <<EOF
-#!/bin/bash
-set -e
-test -e /usr/lib/os-release
-echo baz >\${STATE_DIRECTORY}/foo
-cat /usr/lib/extension-release.d/extension-release.app2
-EOF
-        chmod +x "$initdir/opt/script1.sh"
-        echo MARKER=1 >"$initdir/usr/lib/systemd/system/other_file"
-        mksquashfs "$initdir" "$oldinitdir/usr/share/app1.raw" -noappend
-
-        export initdir="$TESTDIR/app-nodistro"
-        mkdir -p "$initdir/usr/lib/extension-release.d" "$initdir/usr/lib/systemd/system"
-        ( echo "ID=_any"
-          echo "ARCHITECTURE=_any" ) >"$initdir/usr/lib/extension-release.d/extension-release.app-nodistro"
-        echo MARKER=1 >"$initdir/usr/lib/systemd/system/some_file"
-        mksquashfs "$initdir" "$oldinitdir/usr/share/app-nodistro.raw" -noappend
-
-        export initdir="$TESTDIR/service-scoped-test"
-        mkdir -p "$initdir/etc/extension-release.d" "$initdir/etc/systemd/system"
-        ( echo "ID=_any"
-          echo "ARCHITECTURE=_any" ) >"$initdir/etc/extension-release.d/extension-release.service-scoped-test"
-        echo MARKER_CONFEXT_123 >"$initdir/etc/systemd/system/some_file"
-        mksquashfs "$initdir" "$oldinitdir/etc/service-scoped-test.raw" -noappend
-
-        # We need to create a dedicated sysext image to test the reload mechanism. If we share an image to install the
-        # 'foo.service' it will be loaded from another test run, which will impact the targeted test.
-        export initdir="$TESTDIR/app-reload"
-        mkdir -p "$initdir/usr/lib/extension-release.d" "$initdir/usr/lib/systemd/system"
-        ( echo "ID=_any"
-          echo "ARCHITECTURE=_any"
-          echo "EXTENSION_RELOAD_MANAGER=1" ) >"$initdir/usr/lib/extension-release.d/extension-release.app-reload"
-        mkdir -p "$initdir/usr/lib/systemd/system/multi-user.target.d"
-        cat >"${initdir}/usr/lib/systemd/system/foo.service" <<EOF
-[Service]
-Type=oneshot
-RemainAfterExit=yes
-ExecStart=echo foo
-
-[Install]
-WantedBy=multi-user.target
-EOF
-        { echo "[Unit]"; echo "Upholds=foo.service"; } > "$initdir/usr/lib/systemd/system/multi-user.target.d/10-foo-service.conf"
-        mksquashfs "$initdir" "$oldinitdir/usr/share/app-reload.raw" -noappend
     )
 }
 
diff --git a/test/units/testsuite-29.sh b/test/units/testsuite-29.sh
index 4c0f1ba3293..27c24a0e6cc 100755
--- a/test/units/testsuite-29.sh
+++ b/test/units/testsuite-29.sh
@@ -5,6 +5,11 @@
 set -eux
 set -o pipefail
 
+# shellcheck source=test/units/util.sh
+. "$(dirname "$0")"/util.sh
+
+install_extension_images
+
 # Set longer timeout for slower machines, e.g. non-KVM vm.
 mkdir -p /run/systemd/system.conf.d
 cat >/run/systemd/system.conf.d/10-timeout.conf <<EOF
@@ -31,9 +36,9 @@ fi
 
 systemd-dissect --no-pager /usr/share/minimal_0.raw | grep -q '✓ portable service'
 systemd-dissect --no-pager /usr/share/minimal_1.raw | grep -q '✓ portable service'
-systemd-dissect --no-pager /usr/share/app0.raw | grep -q '✓ sysext for portable service'
-systemd-dissect --no-pager /usr/share/app1.raw | grep -q '✓ sysext for portable service'
-systemd-dissect --no-pager /usr/share/conf0.raw | grep -q '✓ confext for portable service'
+systemd-dissect --no-pager /tmp/app0.raw | grep -q '✓ sysext for portable service'
+systemd-dissect --no-pager /tmp/app1.raw | grep -q '✓ sysext for portable service'
+systemd-dissect --no-pager /tmp/conf0.raw | grep -q '✓ confext for portable service'
 
 export SYSTEMD_LOG_LEVEL=debug
 mkdir -p /run/systemd/system/systemd-portabled.service.d/
@@ -117,7 +122,7 @@ portablectl detach --now --enable --runtime /tmp/minimal_1 minimal-app0
 portablectl list | grep -q -F "No images."
 busctl tree org.freedesktop.portable1 --no-pager | grep -q -F '/org/freedesktop/portable1/image/minimal_5f1' && exit 1
 
-portablectl "${ARGS[@]}" attach --now --runtime --extension /usr/share/app0.raw /usr/share/minimal_0.raw app0
+portablectl "${ARGS[@]}" attach --now --runtime --extension /tmp/app0.raw /usr/share/minimal_0.raw app0
 
 systemctl is-active app0.service
 status="$(portablectl is-attached --extension app0 minimal_0)"
@@ -127,7 +132,7 @@ grep -q -F "LogExtraFields=PORTABLE_ROOT=minimal_0.raw" /run/systemd/system.atta
 grep -q -F "LogExtraFields=PORTABLE_EXTENSION=app0.raw" /run/systemd/system.attached/app0.service.d/20-portable.conf
 grep -q -F "LogExtraFields=PORTABLE_EXTENSION_NAME_AND_VERSION=app" /run/systemd/system.attached/app0.service.d/20-portable.conf
 
-portablectl "${ARGS[@]}" reattach --now --runtime --extension /usr/share/app0.raw /usr/share/minimal_1.raw app0
+portablectl "${ARGS[@]}" reattach --now --runtime --extension /tmp/app0.raw /usr/share/minimal_1.raw app0
 
 systemctl is-active app0.service
 status="$(portablectl is-attached --extension app0 minimal_1)"
@@ -137,12 +142,12 @@ grep -q -F "LogExtraFields=PORTABLE_ROOT=minimal_1.raw" /run/systemd/system.atta
 grep -q -F "LogExtraFields=PORTABLE_EXTENSION=app0.raw" /run/systemd/system.attached/app0.service.d/20-portable.conf
 grep -q -F "LogExtraFields=PORTABLE_EXTENSION_NAME_AND_VERSION=app" /run/systemd/system.attached/app0.service.d/20-portable.conf
 
-portablectl detach --now --runtime --extension /usr/share/app0.raw /usr/share/minimal_1.raw app0
+portablectl detach --now --runtime --extension /tmp/app0.raw /usr/share/minimal_1.raw app0
 
 # Ensure versioned images are accepted without needing to use --force to override the extension-release
 # matching
 
-cp /usr/share/app0.raw /tmp/app0_1.0.raw
+cp /tmp/app0.raw /tmp/app0_1.0.raw
 portablectl "${ARGS[@]}" attach --now --runtime --extension /tmp/app0_1.0.raw /usr/share/minimal_0.raw app0
 
 systemctl is-active app0.service
@@ -152,28 +157,28 @@ status="$(portablectl is-attached --extension app0_1 minimal_0)"
 portablectl detach --now --runtime --extension /tmp/app0_1.0.raw /usr/share/minimal_1.raw app0
 rm -f /tmp/app0_1.0.raw
 
-portablectl "${ARGS[@]}" attach --now --runtime --extension /usr/share/app1.raw /usr/share/minimal_0.raw app1
+portablectl "${ARGS[@]}" attach --now --runtime --extension /tmp/app1.raw /usr/share/minimal_0.raw app1
 
 systemctl is-active app1.service
 status="$(portablectl is-attached --extension app1 minimal_0)"
 [[ "${status}" == "running-runtime" ]]
 
 # Ensure that adding or removing a version to the image doesn't break reattaching
-cp /usr/share/app1.raw /tmp/app1_2.raw
+cp /tmp/app1.raw /tmp/app1_2.raw
 portablectl "${ARGS[@]}" reattach --now --runtime --extension /tmp/app1_2.raw /usr/share/minimal_1.raw app1
 
 systemctl is-active app1.service
 status="$(portablectl is-attached --extension app1_2 minimal_1)"
 [[ "${status}" == "running-runtime" ]]
 
-portablectl "${ARGS[@]}" reattach --now --runtime --extension /usr/share/app1.raw /usr/share/minimal_1.raw app1
+portablectl "${ARGS[@]}" reattach --now --runtime --extension /tmp/app1.raw /usr/share/minimal_1.raw app1
 
 systemctl is-active app1.service
 status="$(portablectl is-attached --extension app1 minimal_1)"
 [[ "${status}" == "running-runtime" ]]
 
-portablectl detach --force --no-reload --runtime --extension /usr/share/app1.raw /usr/share/minimal_1.raw app1
-portablectl "${ARGS[@]}" attach --force --no-reload --runtime --extension /usr/share/app1.raw /usr/share/minimal_0.raw app1
+portablectl detach --force --no-reload --runtime --extension /tmp/app1.raw /usr/share/minimal_1.raw app1
+portablectl "${ARGS[@]}" attach --force --no-reload --runtime --extension /tmp/app1.raw /usr/share/minimal_0.raw app1
 systemctl daemon-reload
 systemctl restart app1.service
 
@@ -181,11 +186,11 @@ systemctl is-active app1.service
 status="$(portablectl is-attached --extension app1 minimal_0)"
 [[ "${status}" == "running-runtime" ]]
 
-portablectl detach --now --runtime --extension /usr/share/app1.raw /usr/share/minimal_0.raw app1
+portablectl detach --now --runtime --extension /tmp/app1.raw /usr/share/minimal_0.raw app1
 
 # Ensure vpick works, including reattaching to a new image
 mkdir -p /tmp/app1.v/
-cp /usr/share/app1.raw /tmp/app1.v/app1_1.0.raw
+cp /tmp/app1.raw /tmp/app1.v/app1_1.0.raw
 cp /tmp/app1_2.raw /tmp/app1.v/app1_2.0.raw
 portablectl "${ARGS[@]}" attach --now --runtime --extension /tmp/app1.v/ /usr/share/minimal_1.raw app1
 
@@ -210,7 +215,7 @@ grep -q -F bar "${STATE_DIRECTORY}/app0/foo"
 grep -q -F baz "${STATE_DIRECTORY}/app1/foo"
 
 # Ensure that we can override the check on extension-release.NAME
-cp /usr/share/app0.raw /tmp/app10.raw
+cp /tmp/app0.raw /tmp/app10.raw
 portablectl "${ARGS[@]}" attach --force --now --runtime --extension /tmp/app10.raw /usr/share/minimal_0.raw app0
 
 systemctl is-active app0.service
@@ -226,28 +231,28 @@ systemctl stop app0.service
 portablectl detach --force --runtime --extension /tmp/app10.raw /usr/share/minimal_0.raw app0
 
 # portablectl also accepts confexts
-portablectl "${ARGS[@]}" attach --now --runtime --extension /usr/share/app0.raw --extension /usr/share/conf0.raw /usr/share/minimal_0.raw app0
+portablectl "${ARGS[@]}" attach --now --runtime --extension /tmp/app0.raw --extension /tmp/conf0.raw /usr/share/minimal_0.raw app0
 
 systemctl is-active app0.service
-status="$(portablectl is-attached --extension /usr/share/app0.raw --extension /usr/share/conf0.raw /usr/share/minimal_0.raw)"
+status="$(portablectl is-attached --extension /tmp/app0.raw --extension /tmp/conf0.raw /usr/share/minimal_0.raw)"
 [[ "${status}" == "running-runtime" ]]
 
-portablectl inspect --force --cat --extension /usr/share/app0.raw --extension /usr/share/conf0.raw /usr/share/minimal_0.raw app0 | grep -q -F "Extension Release: /usr/share/conf0.raw"
+portablectl inspect --force --cat --extension /tmp/app0.raw --extension /tmp/conf0.raw /usr/share/minimal_0.raw app0 | grep -q -F "Extension Release: /tmp/conf0.raw"
 
-portablectl detach --now --runtime --extension /usr/share/app0.raw --extension /usr/share/conf0.raw /usr/share/minimal_0.raw app0
+portablectl detach --now --runtime --extension /tmp/app0.raw --extension /tmp/conf0.raw /usr/share/minimal_0.raw app0
 
 # Ensure that mixed mode copies the images and units (client-owned) but symlinks the profile (OS owned)
-portablectl "${ARGS[@]}" attach --copy=mixed --runtime --extension /usr/share/app0.raw /usr/share/minimal_0.raw app0
+portablectl "${ARGS[@]}" attach --copy=mixed --runtime --extension /tmp/app0.raw /usr/share/minimal_0.raw app0
 test -f /run/portables/app0.raw
 test -f /run/portables/minimal_0.raw
 test -f /run/systemd/system.attached/app0.service
 test -L /run/systemd/system.attached/app0.service.d/10-profile.conf
-portablectl detach --runtime --extension /usr/share/app0.raw /usr/share/minimal_0.raw app0
+portablectl detach --runtime --extension /tmp/app0.raw /usr/share/minimal_0.raw app0
 
 # Ensure that when two portables share the same base image, removing one doesn't remove the other too
 
-portablectl "${ARGS[@]}" attach --runtime --extension /usr/share/app0.raw /usr/share/minimal_0.raw app0
-portablectl "${ARGS[@]}" attach --runtime --extension /usr/share/app1.raw /usr/share/minimal_0.raw app1
+portablectl "${ARGS[@]}" attach --runtime --extension /tmp/app0.raw /usr/share/minimal_0.raw app0
+portablectl "${ARGS[@]}" attach --runtime --extension /tmp/app1.raw /usr/share/minimal_0.raw app1
 
 status="$(portablectl is-attached --extension app0 minimal_0)"
 [[ "${status}" == "attached-runtime" ]]
@@ -267,18 +272,18 @@ portablectl list | grep -F "minimal_0" | grep -q -F "attached-runtime"
 portablectl list | grep -F "app0" | grep -q -F "attached-runtime"
 portablectl list | grep -F "app1" | grep -q -F "attached-runtime"
 
-portablectl detach --runtime --extension /usr/share/app0.raw /usr/share/minimal_0.raw app
+portablectl detach --runtime --extension /tmp/app0.raw /usr/share/minimal_0.raw app
 
 status="$(portablectl is-attached --extension app1 minimal_0)"
 [[ "${status}" == "attached-runtime" ]]
 
-portablectl detach --runtime --extension /usr/share/app1.raw /usr/share/minimal_0.raw app
+portablectl detach --runtime --extension /tmp/app1.raw /usr/share/minimal_0.raw app
 
 # portablectl also works with directory paths rather than images
 
 mkdir /tmp/rootdir /tmp/app0 /tmp/app1 /tmp/overlay /tmp/os-release-fix /tmp/os-release-fix/etc
-mount /usr/share/app0.raw /tmp/app0
-mount /usr/share/app1.raw /tmp/app1
+mount /tmp/app0.raw /tmp/app0
+mount /tmp/app1.raw /tmp/app1
 mount /usr/share/minimal_0.raw /tmp/rootdir
 
 # Fix up os-release to drop the valid PORTABLE_SERVICES field (because we are
diff --git a/test/units/testsuite-43.sh b/test/units/testsuite-43.sh
index c1204685938..165af47f152 100755
--- a/test/units/testsuite-43.sh
+++ b/test/units/testsuite-43.sh
@@ -6,6 +6,8 @@ set -o pipefail
 # shellcheck source=test/units/util.sh
 . "$(dirname "$0")"/util.sh
 
+install_extension_images
+
 if [[ "$(sysctl -ne kernel.apparmor_restrict_unprivileged_userns)" -eq 1 ]]; then
     echo "Cannot create unprivileged user namespaces" >/skipped
     exit 77
@@ -130,7 +132,7 @@ umount /tmp/img_bind
 # Unprivileged overlayfs was added to Linux 5.11, so try to detect it first
 mkdir -p /tmp/a /tmp/b /tmp/c
 if unshare --mount --user --map-root-user mount -t overlay overlay /tmp/c -o lowerdir=/tmp/a:/tmp/b; then
-    unsquashfs -no-xattrs -d /tmp/app2 /usr/share/app1.raw
+    unsquashfs -no-xattrs -d /tmp/app2 /tmp/app1.raw
     runas testuser systemd-run --wait --user --unit=test-extension-dir \
         -p ExtensionDirectories=/tmp/app2 \
         -p TemporaryFileSystem=/run -p RootDirectory=/tmp/img \
diff --git a/test/units/testsuite-50.dissect.sh b/test/units/testsuite-50.dissect.sh
index 34e60aa76f0..de69b72ef12 100755
--- a/test/units/testsuite-50.dissect.sh
+++ b/test/units/testsuite-50.dissect.sh
@@ -9,9 +9,16 @@ set -o pipefail
 # shellcheck source=test/units/util.sh
 . "$(dirname "$0")"/util.sh
 
+BIND_LOG_SOCKETS=(
+    --property BindReadOnlyPaths=/dev/log
+    --property BindReadOnlyPaths=/run/systemd/journal/socket
+    --property BindReadOnlyPaths=/run/systemd/journal/stdout
+)
+
 systemd-dissect --json=short "$MINIMAL_IMAGE.raw" | \
     grep -q -F '{"rw":"ro","designator":"root","partition_uuid":null,"partition_label":null,"fstype":"squashfs","architecture":null,"verity":"external"'
 systemd-dissect "$MINIMAL_IMAGE.raw" | grep -q -F "MARKER=1"
+# shellcheck disable=SC2153
 systemd-dissect "$MINIMAL_IMAGE.raw" | grep -q -F -f <(sed 's/"//g' "$OS_RELEASE")
 
 systemd-dissect --list "$MINIMAL_IMAGE.raw" | grep -q '^etc/os-release$'
@@ -73,19 +80,21 @@ fi
 systemd-dissect --umount "$IMAGE_DIR/mount"
 systemd-dissect --umount "$IMAGE_DIR/mount2"
 
-systemd-run -P -p RootImage="$MINIMAL_IMAGE.raw" cat /usr/lib/os-release | grep -q -F "MARKER=1"
+systemd-run -P -p RootImage="$MINIMAL_IMAGE.raw" "${BIND_LOG_SOCKETS[@]}" cat /usr/lib/os-release | grep -q -F "MARKER=1"
 mv "$MINIMAL_IMAGE.verity" "$MINIMAL_IMAGE.fooverity"
 mv "$MINIMAL_IMAGE.roothash" "$MINIMAL_IMAGE.foohash"
 systemd-run -P \
             -p RootImage="$MINIMAL_IMAGE.raw" \
             -p RootHash="$MINIMAL_IMAGE.foohash" \
             -p RootVerity="$MINIMAL_IMAGE.fooverity" \
+            "${BIND_LOG_SOCKETS[@]}" \
             cat /usr/lib/os-release | grep -q -F "MARKER=1"
 # Let's use the long option name just here as a test
 systemd-run -P \
             --property RootImage="$MINIMAL_IMAGE.raw" \
             --property RootHash="$MINIMAL_IMAGE_ROOTHASH" \
             --property RootVerity="$MINIMAL_IMAGE.fooverity" \
+            "${BIND_LOG_SOCKETS[@]}" \
             cat /usr/lib/os-release | grep -q -F "MARKER=1"
 mv "$MINIMAL_IMAGE.fooverity" "$MINIMAL_IMAGE.verity"
 mv "$MINIMAL_IMAGE.foohash" "$MINIMAL_IMAGE.roothash"
@@ -133,48 +142,56 @@ systemd-run --wait -P \
             -p RootImage="$MINIMAL_IMAGE.gpt" \
             -p RootHash="$MINIMAL_IMAGE_ROOTHASH" \
             -p MountAPIVFS=yes \
+            "${BIND_LOG_SOCKETS[@]}" \
             cat /usr/lib/os-release | grep -q -F "MARKER=1"
 systemd-run --wait -P \
             -p RootImage="$MINIMAL_IMAGE.gpt" \
             -p RootHash="$MINIMAL_IMAGE_ROOTHASH" \
             -p RootImagePolicy='*' \
             -p MountAPIVFS=yes \
+            "${BIND_LOG_SOCKETS[@]}" \
             cat /usr/lib/os-release | grep -q -F "MARKER=1"
 (! systemd-run --wait -P \
                -p RootImage="$MINIMAL_IMAGE.gpt" \
                -p RootHash="$MINIMAL_IMAGE_ROOTHASH" \
                -p RootImagePolicy='~' \
                -p MountAPIVFS=yes \
+               "${BIND_LOG_SOCKETS[@]}" \
                cat /usr/lib/os-release | grep -q -F "MARKER=1")
 (! systemd-run --wait -P \
                -p RootImage="$MINIMAL_IMAGE.gpt" \
                -p RootHash="$MINIMAL_IMAGE_ROOTHASH" \
                -p RootImagePolicy='-' \
                -p MountAPIVFS=yes \
+               "${BIND_LOG_SOCKETS[@]}" \
                cat /usr/lib/os-release | grep -q -F "MARKER=1")
 (! systemd-run --wait -P \
                -p RootImage="$MINIMAL_IMAGE.gpt" \
                -p RootHash="$MINIMAL_IMAGE_ROOTHASH" \
                -p RootImagePolicy='root=absent' \
                -p MountAPIVFS=yes \
+               "${BIND_LOG_SOCKETS[@]}" \
                cat /usr/lib/os-release | grep -q -F "MARKER=1")
 systemd-run --wait -P \
             -p RootImage="$MINIMAL_IMAGE.gpt" \
             -p RootHash="$MINIMAL_IMAGE_ROOTHASH" \
             -p RootImagePolicy='root=verity' \
             -p MountAPIVFS=yes \
+            "${BIND_LOG_SOCKETS[@]}" \
             cat /usr/lib/os-release | grep -q -F "MARKER=1"
 systemd-run --wait -P \
             -p RootImage="$MINIMAL_IMAGE.gpt" \
             -p RootHash="$MINIMAL_IMAGE_ROOTHASH" \
             -p RootImagePolicy='root=signed' \
             -p MountAPIVFS=yes \
+            "${BIND_LOG_SOCKETS[@]}" \
             cat /usr/lib/os-release | grep -q -F "MARKER=1"
 (! systemd-run --wait -P \
                -p RootImage="$MINIMAL_IMAGE.gpt" \
                -p RootHash="$MINIMAL_IMAGE_ROOTHASH" \
                -p RootImagePolicy='root=encrypted' \
                -p MountAPIVFS=yes \
+               "${BIND_LOG_SOCKETS[@]}" \
                cat /usr/lib/os-release | grep -q -F "MARKER=1")
 
 systemd-dissect --root-hash "$MINIMAL_IMAGE_ROOTHASH" --mount "$MINIMAL_IMAGE.gpt" "$IMAGE_DIR/mount"
@@ -194,14 +211,17 @@ systemd-run -P \
             -p RootImage="$MINIMAL_IMAGE.gpt" \
             -p RootHash="$MINIMAL_IMAGE_ROOTHASH" \
             -p MountAPIVFS=yes \
+            "${BIND_LOG_SOCKETS[@]}" \
             cat /usr/lib/os-release | grep -q -F "MARKER=1"
 systemd-run -P \
             -p RootImage="$MINIMAL_IMAGE.raw" \
             -p RootImageOptions="root:nosuid,dev home:ro,dev ro,noatime" \
+            "${BIND_LOG_SOCKETS[@]}" \
             mount | grep -F "squashfs" | grep -q -F "nosuid"
 systemd-run -P \
             -p RootImage="$MINIMAL_IMAGE.gpt" \
             -p RootImageOptions="root:ro,noatime root:ro,dev" \
+            "${BIND_LOG_SOCKETS[@]}" \
             mount | grep -F "squashfs" | grep -q -F "noatime"
 
 mkdir -p "$IMAGE_DIR/result"
@@ -214,6 +234,7 @@ TemporaryFileSystem=/run
 RootImage=$MINIMAL_IMAGE.raw
 RootImageOptions=root:ro,noatime home:ro,dev relatime,dev
 RootImageOptions=nosuid,dev
+BindReadOnlyPaths=/dev/log /run/systemd/journal/socket /run/systemd/journal/stdout
 EOF
 systemctl start testservice-50a.service
 grep -F "squashfs" "$IMAGE_DIR/result/a" | grep -q -F "noatime"
@@ -230,6 +251,7 @@ RootImageOptions=root:ro,noatime,nosuid home:ro,dev nosuid,dev
 RootImageOptions=home:ro,dev nosuid,dev,%%foo
 # this is the default, but let's specify once to test the parser
 MountAPIVFS=yes
+BindReadOnlyPaths=/dev/log /run/systemd/journal/socket /run/systemd/journal/stdout
 EOF
 systemctl start testservice-50b.service
 grep -F "squashfs" "$IMAGE_DIR/result/b" | grep -q -F "noatime"
@@ -262,23 +284,27 @@ systemd-run -P \
             -p TemporaryFileSystem=/run \
             -p RootImage="$MINIMAL_IMAGE.raw" \
             -p MountImages="$MINIMAL_IMAGE.gpt:/run/img1 $MINIMAL_IMAGE.raw:/run/img2" \
+            "${BIND_LOG_SOCKETS[@]}" \
             cat /usr/lib/os-release | grep -q -F "MARKER=1"
 systemd-run -P \
             -p TemporaryFileSystem=/run \
             -p RootImage="$MINIMAL_IMAGE.raw" \
             -p MountImages="$MINIMAL_IMAGE.gpt:/run/img1 $MINIMAL_IMAGE.raw:/run/img2" \
+            "${BIND_LOG_SOCKETS[@]}" \
             cat /run/img1/usr/lib/os-release | grep -q -F "MARKER=1"
 systemd-run -P \
             -p TemporaryFileSystem=/run \
             -p RootImage="$MINIMAL_IMAGE.gpt" \
             -p RootHash="$MINIMAL_IMAGE_ROOTHASH" \
             -p MountImages="$MINIMAL_IMAGE.gpt:/run/img1 $MINIMAL_IMAGE.raw:/run/img2" \
+            "${BIND_LOG_SOCKETS[@]}" \
             cat /run/img2/usr/lib/os-release | grep -q -F "MARKER=1"
 cat >/run/systemd/system/testservice-50c.service <<EOF
 [Service]
 MountAPIVFS=yes
 TemporaryFileSystem=/run
 RootImage=$MINIMAL_IMAGE.raw
+BindReadOnlyPaths=/dev/log /run/systemd/journal/socket /run/systemd/journal/stdout
 MountImages=$MINIMAL_IMAGE.gpt:/run/img1:root:noatime:home:relatime
 MountImages=$MINIMAL_IMAGE.raw:/run/img2\:3:nosuid
 ExecStart=bash -c "cat /run/img1/usr/lib/os-release >/run/result/c"
@@ -324,44 +350,53 @@ systemctl is-active testservice-50d.service
 
 # ExtensionImages will set up an overlay
 systemd-run -P \
-            --property ExtensionImages=/usr/share/app0.raw \
+            --property ExtensionImages=/tmp/app0.raw \
             --property RootImage="$MINIMAL_IMAGE.raw" \
+            "${BIND_LOG_SOCKETS[@]}" \
             cat /opt/script0.sh | grep -q -F "extension-release.app0"
 systemd-run -P \
-            --property ExtensionImages=/usr/share/app0.raw \
+            --property ExtensionImages=/tmp/app0.raw \
             --property RootImage="$MINIMAL_IMAGE.raw" \
+            "${BIND_LOG_SOCKETS[@]}" \
             cat /usr/lib/systemd/system/some_file | grep -q -F "MARKER=1"
 systemd-run -P \
-            --property ExtensionImages="/usr/share/app0.raw /usr/share/app1.raw" \
+            --property ExtensionImages="/tmp/app0.raw /tmp/app1.raw" \
             --property RootImage="$MINIMAL_IMAGE.raw" \
+            "${BIND_LOG_SOCKETS[@]}" \
             cat /opt/script0.sh | grep -q -F "extension-release.app0"
 systemd-run -P \
-            --property ExtensionImages="/usr/share/app0.raw /usr/share/app1.raw" \
+            --property ExtensionImages="/tmp/app0.raw /tmp/app1.raw" \
             --property RootImage="$MINIMAL_IMAGE.raw" \
+            "${BIND_LOG_SOCKETS[@]}" \
             cat /usr/lib/systemd/system/some_file | grep -q -F "MARKER=1"
 systemd-run -P \
-            --property ExtensionImages="/usr/share/app0.raw /usr/share/app1.raw" \
+            --property ExtensionImages="/tmp/app0.raw /tmp/app1.raw" \
             --property RootImage="$MINIMAL_IMAGE.raw" \
+            "${BIND_LOG_SOCKETS[@]}" \
             cat /opt/script1.sh | grep -q -F "extension-release.app2"
 systemd-run -P \
-            --property ExtensionImages="/usr/share/app0.raw /usr/share/app1.raw" \
+            --property ExtensionImages="/tmp/app0.raw /tmp/app1.raw" \
             --property RootImage="$MINIMAL_IMAGE.raw" \
+            "${BIND_LOG_SOCKETS[@]}" \
             cat /usr/lib/systemd/system/other_file | grep -q -F "MARKER=1"
 systemd-run -P \
-            --property ExtensionImages=/usr/share/app-nodistro.raw \
+            --property ExtensionImages=/tmp/app-nodistro.raw \
             --property RootImage="$MINIMAL_IMAGE.raw" \
+            "${BIND_LOG_SOCKETS[@]}" \
             cat /usr/lib/systemd/system/some_file | grep -q -F "MARKER=1"
 systemd-run -P \
             --property ExtensionImages=/etc/service-scoped-test.raw \
             --property RootImage="$MINIMAL_IMAGE.raw" \
+            "${BIND_LOG_SOCKETS[@]}" \
             cat /etc/systemd/system/some_file | grep -q -F "MARKER_CONFEXT_123"
 # Check that using a symlink to NAME-VERSION.raw works as long as the symlink has the correct name NAME.raw
-mkdir -p /usr/share/symlink-test/
-cp /usr/share/app-nodistro.raw /usr/share/symlink-test/app-nodistro-v1.raw
-ln -fs /usr/share/symlink-test/app-nodistro-v1.raw /usr/share/symlink-test/app-nodistro.raw
+mkdir -p /tmp/symlink-test/
+cp /tmp/app-nodistro.raw /tmp/symlink-test/app-nodistro-v1.raw
+ln -fs /tmp/symlink-test/app-nodistro-v1.raw /tmp/symlink-test/app-nodistro.raw
 systemd-run -P \
-            --property ExtensionImages=/usr/share/symlink-test/app-nodistro.raw \
+            --property ExtensionImages=/tmp/symlink-test/app-nodistro.raw \
             --property RootImage="$MINIMAL_IMAGE.raw" \
+            "${BIND_LOG_SOCKETS[@]}" \
             cat /usr/lib/systemd/system/some_file | grep -q -F "MARKER=1"
 
 # Symlink check again but for confext
@@ -371,17 +406,20 @@ ln -fs /etc/symlink-test/service-scoped-test-v1.raw /etc/symlink-test/service-sc
 systemd-run -P \
             --property ExtensionImages=/etc/symlink-test/service-scoped-test.raw \
             --property RootImage="$MINIMAL_IMAGE.raw" \
+            "${BIND_LOG_SOCKETS[@]}" \
             cat /etc/systemd/system/some_file | grep -q -F "MARKER_CONFEXT_123"
 # And again mixing sysext and confext
 systemd-run -P \
-    --property ExtensionImages=/usr/share/symlink-test/app-nodistro.raw \
+    --property ExtensionImages=/tmp/symlink-test/app-nodistro.raw \
     --property ExtensionImages=/etc/symlink-test/service-scoped-test.raw \
     --property RootImage="$MINIMAL_IMAGE.raw" \
+    "${BIND_LOG_SOCKETS[@]}" \
     cat /etc/systemd/system/some_file | grep -q -F "MARKER_CONFEXT_123"
 systemd-run -P \
-    --property ExtensionImages=/usr/share/symlink-test/app-nodistro.raw \
+    --property ExtensionImages=/tmp/symlink-test/app-nodistro.raw \
     --property ExtensionImages=/etc/symlink-test/service-scoped-test.raw \
     --property RootImage="$MINIMAL_IMAGE.raw" \
+    "${BIND_LOG_SOCKETS[@]}" \
     cat /usr/lib/systemd/system/some_file | grep -q -F "MARKER=1"
 
 cat >/run/systemd/system/testservice-50e.service <<EOF
@@ -390,7 +428,8 @@ MountAPIVFS=yes
 TemporaryFileSystem=/run /var/lib
 StateDirectory=app0
 RootImage=$MINIMAL_IMAGE.raw
-ExtensionImages=/usr/share/app0.raw /usr/share/app1.raw:nosuid
+ExtensionImages=/tmp/app0.raw /tmp/app1.raw:nosuid
+BindReadOnlyPaths=/dev/log /run/systemd/journal/socket /run/systemd/journal/stdout
 # Relevant only for sanitizer runs
 UnsetEnvironment=LD_PRELOAD
 ExecStart=bash -c '/opt/script0.sh | grep ID'
@@ -406,8 +445,8 @@ VBASE="vtest$RANDOM"
 VDIR="/tmp/$VBASE.v"
 mkdir "$VDIR"
 
-ln -s /usr/share/app0.raw "$VDIR/${VBASE}_0.raw"
-ln -s /usr/share/app1.raw "$VDIR/${VBASE}_1.raw"
+ln -s /tmp/app0.raw "$VDIR/${VBASE}_0.raw"
+ln -s /tmp/app1.raw "$VDIR/${VBASE}_1.raw"
 
 systemd-run -P -p ExtensionImages="$VDIR" bash -c '/opt/script1.sh | grep ID'
 
@@ -418,46 +457,56 @@ mkdir -p "$IMAGE_DIR/app0" "$IMAGE_DIR/app1" "$IMAGE_DIR/app-nodistro" "$IMAGE_D
 (! systemd-run -P \
                --property ExtensionDirectories="$IMAGE_DIR/nonexistent" \
                --property RootImage="$MINIMAL_IMAGE.raw" \
+               "${BIND_LOG_SOCKETS[@]}" \
                cat /opt/script0.sh)
 (! systemd-run -P \
                --property ExtensionDirectories="$IMAGE_DIR/app0" \
                --property RootImage="$MINIMAL_IMAGE.raw" \
+               "${BIND_LOG_SOCKETS[@]}" \
                cat /opt/script0.sh)
-systemd-dissect --mount /usr/share/app0.raw "$IMAGE_DIR/app0"
-systemd-dissect --mount /usr/share/app1.raw "$IMAGE_DIR/app1"
-systemd-dissect --mount /usr/share/app-nodistro.raw "$IMAGE_DIR/app-nodistro"
+systemd-dissect --mount /tmp/app0.raw "$IMAGE_DIR/app0"
+systemd-dissect --mount /tmp/app1.raw "$IMAGE_DIR/app1"
+systemd-dissect --mount /tmp/app-nodistro.raw "$IMAGE_DIR/app-nodistro"
 systemd-dissect --mount /etc/service-scoped-test.raw "$IMAGE_DIR/service-scoped-test"
 systemd-run -P \
             --property ExtensionDirectories="$IMAGE_DIR/app0" \
             --property RootImage="$MINIMAL_IMAGE.raw" \
+            "${BIND_LOG_SOCKETS[@]}" \
             cat /opt/script0.sh | grep -q -F "extension-release.app0"
 systemd-run -P \
             --property ExtensionDirectories="$IMAGE_DIR/app0" \
             --property RootImage="$MINIMAL_IMAGE.raw" \
+            "${BIND_LOG_SOCKETS[@]}" \
             cat /usr/lib/systemd/system/some_file | grep -q -F "MARKER=1"
 systemd-run -P \
             --property ExtensionDirectories="$IMAGE_DIR/app0 $IMAGE_DIR/app1" \
             --property RootImage="$MINIMAL_IMAGE.raw" \
+            "${BIND_LOG_SOCKETS[@]}" \
             cat /opt/script0.sh | grep -q -F "extension-release.app0"
 systemd-run -P \
             --property ExtensionDirectories="$IMAGE_DIR/app0 $IMAGE_DIR/app1" \
             --property RootImage="$MINIMAL_IMAGE.raw" \
+            "${BIND_LOG_SOCKETS[@]}" \
             cat /usr/lib/systemd/system/some_file | grep -q -F "MARKER=1"
 systemd-run -P \
             --property ExtensionDirectories="$IMAGE_DIR/app0 $IMAGE_DIR/app1" \
             --property RootImage="$MINIMAL_IMAGE.raw" \
+            "${BIND_LOG_SOCKETS[@]}" \
             cat /opt/script1.sh | grep -q -F "extension-release.app2"
 systemd-run -P \
             --property ExtensionDirectories="$IMAGE_DIR/app0 $IMAGE_DIR/app1" \
             --property RootImage="$MINIMAL_IMAGE.raw" \
+            "${BIND_LOG_SOCKETS[@]}" \
             cat /usr/lib/systemd/system/other_file | grep -q -F "MARKER=1"
 systemd-run -P \
             --property ExtensionDirectories="$IMAGE_DIR/app-nodistro" \
             --property RootImage="$MINIMAL_IMAGE.raw" \
+            "${BIND_LOG_SOCKETS[@]}" \
             cat /usr/lib/systemd/system/some_file | grep -q -F "MARKER=1"
 systemd-run -P \
             --property ExtensionDirectories="$IMAGE_DIR/service-scoped-test" \
             --property RootImage="$MINIMAL_IMAGE.raw" \
+            "${BIND_LOG_SOCKETS[@]}" \
             cat /etc/systemd/system/some_file | grep -q -F "MARKER_CONFEXT_123"
 cat >/run/systemd/system/testservice-50f.service <<EOF
 [Service]
@@ -465,6 +514,7 @@ MountAPIVFS=yes
 TemporaryFileSystem=/run /var/lib
 StateDirectory=app0
 RootImage=$MINIMAL_IMAGE.raw
+BindReadOnlyPaths=/dev/log /run/systemd/journal/socket /run/systemd/journal/stdout
 ExtensionDirectories=$IMAGE_DIR/app0 $IMAGE_DIR/app1
 # Relevant only for sanitizer runs
 UnsetEnvironment=LD_PRELOAD
@@ -493,7 +543,7 @@ systemd-dissect --umount "$IMAGE_DIR/app1"
 
 # Test that an extension consisting of an empty directory under /etc/extensions/ takes precedence
 mkdir -p /var/lib/extensions/
-ln -s /usr/share/app-nodistro.raw /var/lib/extensions/app-nodistro.raw
+ln -s /tmp/app-nodistro.raw /var/lib/extensions/app-nodistro.raw
 systemd-sysext merge
 grep -q -F "MARKER=1" /usr/lib/systemd/system/some_file
 systemd-sysext unmerge
@@ -534,7 +584,7 @@ ln -s "$MINIMAL_IMAGE.raw" "$VDIR/${VBASE}_33.raw"
 ln -s "$MINIMAL_IMAGE.raw" "$VDIR/${VBASE}_34.raw"
 ln -s "$MINIMAL_IMAGE.raw" "$VDIR/${VBASE}_35.raw"
 
-systemd-run -P -p RootImage="$VDIR" cat /usr/lib/os-release | grep -q -F "MARKER=1"
+systemd-run -P -p RootImage="$VDIR" "${BIND_LOG_SOCKETS[@]}" cat /usr/lib/os-release | grep -q -F "MARKER=1"
 
 rm "$VDIR/${VBASE}_33.raw" "$VDIR/${VBASE}_34.raw" "$VDIR/${VBASE}_35.raw"
 rmdir "$VDIR"
@@ -612,6 +662,7 @@ systemd-run --unit=test-root-ephemeral \
     -p RootDirectory=/tmp/img \
     -p RootEphemeral=yes \
     -p Type=exec \
+    "${BIND_LOG_SOCKETS[@]}" \
     bash -c "touch /abc && sleep infinity"
 test -n "$(ls -A /var/lib/systemd/ephemeral-trees)"
 systemctl stop test-root-ephemeral
@@ -661,11 +712,11 @@ grep -q -F "MARKER_CONFEXT_123" /etc/testfile
 systemd-confext unmerge
 rm -rf /run/confexts/ testjob/
 
-systemd-run -P -p RootImage="$MINIMAL_IMAGE.raw" cat /run/host/os-release | cmp "$OS_RELEASE"
+systemd-run -P -p RootImage="$MINIMAL_IMAGE.raw" "${BIND_LOG_SOCKETS[@]}" cat /run/host/os-release | cmp "$OS_RELEASE"
 
 # Test that systemd-sysext reloads the daemon.
 mkdir -p /var/lib/extensions/
-ln -s /usr/share/app-reload.raw /var/lib/extensions/app-reload.raw
+ln -s /tmp/app-reload.raw /var/lib/extensions/app-reload.raw
 systemd-sysext merge --no-reload
 # the service should not be running
 (! systemctl --quiet is-active foo.service)
diff --git a/test/units/testsuite-50.sh b/test/units/testsuite-50.sh
index 8c4d2bfc3f9..d014e824fce 100755
--- a/test/units/testsuite-50.sh
+++ b/test/units/testsuite-50.sh
@@ -6,6 +6,9 @@ set -o pipefail
 # shellcheck source=test/units/test-control.sh
 . "$(dirname "$0")"/test-control.sh
 
+# shellcheck source=test/units/util.sh
+. "$(dirname "$0")"/util.sh
+
 # Setup shared stuff & run all subtests
 
 at_exit() {
@@ -103,6 +106,8 @@ cp -v /usr/share/minimal* "$IMAGE_DIR/"
 MINIMAL_IMAGE="$IMAGE_DIR/minimal_0"
 MINIMAL_IMAGE_ROOTHASH="$(<"$MINIMAL_IMAGE.roothash")"
 
+install_extension_images
+
 OS_RELEASE="$(test -e /etc/os-release && echo /etc/os-release || echo /usr/lib/os-release)"
 
 if systemctl --version | grep -q -- +OPENSSL ; then
diff --git a/test/units/util.sh b/test/units/util.sh
index dc5dd1e1ecc..8eea263135b 100755
--- a/test/units/util.sh
+++ b/test/units/util.sh
@@ -241,3 +241,123 @@ maybe_umount_usr_overlay() {
         umount -l /usr
     fi
 }
+
+install_extension_images() {
+        local os_release
+        os_release="$(test -e /etc/os-release && echo /etc/os-release || echo /usr/lib/os-release)"
+
+        # Rolling distros like Arch do not set VERSION_ID
+        local version_id=""
+        if grep -q "^VERSION_ID=" "$os_release"; then
+            version_id="$(grep "^VERSION_ID=" "$os_release")"
+        fi
+
+        local initdir="/var/tmp/app0"
+        mkdir -p "$initdir/usr/lib/extension-release.d" "$initdir/usr/lib/systemd/system" "$initdir/opt"
+        grep "^ID=" "$os_release" >"$initdir/usr/lib/extension-release.d/extension-release.app0"
+        echo "$version_id" >>"$initdir/usr/lib/extension-release.d/extension-release.app0"
+        (
+            echo "$version_id"
+            echo "SYSEXT_IMAGE_ID=app"
+        ) >>"$initdir/usr/lib/extension-release.d/extension-release.app0"
+        cat >"$initdir/usr/lib/systemd/system/app0.service" <<EOF
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=/opt/script0.sh
+TemporaryFileSystem=/var/lib
+StateDirectory=app0
+RuntimeDirectory=app0
+EOF
+        cat >"$initdir/opt/script0.sh" <<EOF
+#!/bin/bash
+set -e
+test -e /usr/lib/os-release
+echo bar >\${STATE_DIRECTORY}/foo
+cat /usr/lib/extension-release.d/extension-release.app0
+EOF
+        chmod +x "$initdir/opt/script0.sh"
+        echo MARKER=1 >"$initdir/usr/lib/systemd/system/some_file"
+        mksquashfs "$initdir" /tmp/app0.raw -noappend
+
+        initdir="/var/tmp/conf0"
+        mkdir -p "$initdir/etc/extension-release.d" "$initdir/etc/systemd/system" "$initdir/opt"
+        grep "^ID=" "$os_release" >"$initdir/etc/extension-release.d/extension-release.conf0"
+        echo "$version_id" >>"$initdir/etc/extension-release.d/extension-release.conf0"
+        (
+            echo "$version_id"
+            echo "CONFEXT_IMAGE_ID=app"
+        ) >>"$initdir/etc/extension-release.d/extension-release.conf0"
+        echo MARKER_1 >"$initdir/etc/systemd/system/some_file"
+        mksquashfs "$initdir" /tmp/conf0.raw -noappend
+
+        initdir="/var/tmp/app1"
+        mkdir -p "$initdir/usr/lib/extension-release.d" "$initdir/usr/lib/systemd/system" "$initdir/opt"
+        grep "^ID=" "$os_release" >"$initdir/usr/lib/extension-release.d/extension-release.app2"
+        (
+            echo "$version_id"
+            echo "SYSEXT_SCOPE=portable"
+            echo "SYSEXT_IMAGE_ID=app"
+            echo "SYSEXT_IMAGE_VERSION=1"
+            echo "PORTABLE_PREFIXES=app1"
+        ) >>"$initdir/usr/lib/extension-release.d/extension-release.app2"
+        setfattr -n user.extension-release.strict -v false "$initdir/usr/lib/extension-release.d/extension-release.app2"
+        cat >"$initdir/usr/lib/systemd/system/app1.service" <<EOF
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=/opt/script1.sh
+StateDirectory=app1
+RuntimeDirectory=app1
+EOF
+        cat >"$initdir/opt/script1.sh" <<EOF
+#!/bin/bash
+set -e
+test -e /usr/lib/os-release
+echo baz >\${STATE_DIRECTORY}/foo
+cat /usr/lib/extension-release.d/extension-release.app2
+EOF
+        chmod +x "$initdir/opt/script1.sh"
+        echo MARKER=1 >"$initdir/usr/lib/systemd/system/other_file"
+        mksquashfs "$initdir" /tmp/app1.raw -noappend
+
+        initdir="/var/tmp/app-nodistro"
+        mkdir -p "$initdir/usr/lib/extension-release.d" "$initdir/usr/lib/systemd/system"
+        (
+            echo "ID=_any"
+            echo "ARCHITECTURE=_any"
+        ) >"$initdir/usr/lib/extension-release.d/extension-release.app-nodistro"
+        echo MARKER=1 >"$initdir/usr/lib/systemd/system/some_file"
+        mksquashfs "$initdir" /tmp/app-nodistro.raw -noappend
+
+        initdir="/var/tmp/service-scoped-test"
+        mkdir -p "$initdir/etc/extension-release.d" "$initdir/etc/systemd/system"
+        (
+            echo "ID=_any"
+            echo "ARCHITECTURE=_any"
+        ) >"$initdir/etc/extension-release.d/extension-release.service-scoped-test"
+        echo MARKER_CONFEXT_123 >"$initdir/etc/systemd/system/some_file"
+        mksquashfs "$initdir" /etc/service-scoped-test.raw -noappend
+
+        # We need to create a dedicated sysext image to test the reload mechanism. If we share an image to install the
+        # 'foo.service' it will be loaded from another test run, which will impact the targeted test.
+        initdir="/var/tmp/app-reload"
+        mkdir -p "$initdir/usr/lib/extension-release.d" "$initdir/usr/lib/systemd/system"
+        (
+            echo "ID=_any"
+            echo "ARCHITECTURE=_any"
+            echo "EXTENSION_RELOAD_MANAGER=1"
+        ) >"$initdir/usr/lib/extension-release.d/extension-release.app-reload"
+        mkdir -p "$initdir/usr/lib/systemd/system/multi-user.target.d"
+        cat >"$initdir/usr/lib/systemd/system/foo.service" <<EOF
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=echo foo
+
+[Install]
+WantedBy=multi-user.target
+EOF
+        echo -e "[Unit]\nUpholds=foo.service" >"$initdir/usr/lib/systemd/system/multi-user.target.d/10-foo-service.conf"
+        mksquashfs "$initdir" /tmp/app-reload.raw -noappend
+}